Digging Deep Into The Hidden Networks

February 2019 | Ramandeep Singh

You’re working in a corporate network where keeping critical systems and ordinary users on a single network is not recommended. Imagine yourself pentesting this network with an n-layered security architecture, built intentionally to protect internal services with Defense-In-Depth in mind.

This can be tricky…let’s dig in on how to work your magic.

Routing

Routing is the backbone process of networking that determines how devices across WAN networks communicate. Routers (layer three devices) forward data packets toward their destination.

Pivoting

In simple words, it’s the process of reaching an otherwise inaccessible network by leveraging a compromised host that sits on it.

Using this tunneled routing, you can pivot all requests to the target inaccessible host via the compromised host.

Behind the Scenes – Pivoting Process

The compromised host is connected to the router that leads into the demilitarized zone (DMZ), and it has privileges to reach systems there (for example, a user authorized to access the DMZ).

Time to use Metasploit:

Let’s Pivot

Remember routing? Let’s talk about it more. Once the first target is compromised, you can add a custom routing rule through that session for pivoting.

With the autoroute session in place, you can reach the 8.8.8.0/24 network. An ARP scanner would be a good next step, right? Let’s see how an attacker uses it:

Sweet! Now it’s time to have some fun with the pivot. As the session is already established, the routing configuration can be exposed over a SOCKS4 proxy provided within the Metasploit framework.

Once it’s set up, port forwarding is the way to go; it is available within the Metasploit framework as a module. With a local port, you can forward a connection request to a port on the target 8.8.8.2.

With an nmap scan through proxychains, you can figure out which ports are open on the target and add them to the port forwarding.

Digging further, you can open port 9090 on your own machine in a browser to reach the service on port 80 of the target.

Voila! Now you can try tools like hydra to guess login credentials. If that fails, find your way in with known exploits for the running services.

Strategies to Mitigate these types of Risks

Set up systems in the DMZ to be accessible only from within the DMZ.
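Network segmentation limits the damage, but the pivot described above still leaves a trace: the proxied ARP sweep and nmap scan show up at the DMZ firewall as one internal workstation touching many DMZ hosts and ports in a short burst. The following detection, an added example that is not part of the original post, flags such sources in a constructed flow log; the log format, the 10.0.1.x source addresses and the thresholds are assumptions, while 8.8.8.0/24 is the DMZ subnet from the post.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("8.8.8.0/24")  # DMZ subnet named in the post


def constructed_flows():
    """Constructed firewall flow log: '<epoch> <src> <dst> <dst_port> <action>'.

    10.0.1.5 is a normal user reaching the DMZ web server. 10.0.1.42 is the
    compromised workstation: a proxied nmap scan looks, from the firewall's
    side, like one source sweeping many DMZ hosts and ports within seconds.
    """
    flows = [(1549900000, "10.0.1.5", "8.8.8.2", 80, "ALLOW"),
             (1549900003, "10.0.1.5", "8.8.8.2", 443, "ALLOW")]
    ts = 1549900010
    for host in range(2, 7):                      # 8.8.8.2 .. 8.8.8.6
        for port in (22, 80, 443, 3306):
            action = "ALLOW" if port == 80 else "DENY"
            flows.append((ts, "10.0.1.42", f"8.8.8.{host}", port, action))
            ts += 1
    return ["%d %s %s %d %s" % f for f in flows]


def find_pivot_scanners(lines, window=60, min_hosts=3, min_pairs=8):
    """Return {src: (distinct_dmz_hosts, distinct_host_port_pairs)} for every
    source whose DMZ-bound flows inside any `window`-second span reach both
    thresholds. Denied flows count too: a scan is visible even when blocked."""
    events = defaultdict(list)  # src -> [(ts, dst, port)]
    for line in lines:
        ts, src, dst, port, _action = line.split()
        if ip_address(dst) in DMZ_NET:
            events[src].append((int(ts), dst, int(port)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):  # sliding window from each event
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            hosts = {d for _, d, _ in burst}
            pairs = {(d, p) for _, d, p in burst}
            if len(hosts) >= min_hosts and len(pairs) >= min_pairs:
                flagged[src] = (len(hosts), len(pairs))
                break
    return flagged


if __name__ == "__main__":
    for src, (hosts, pairs) in find_pivot_scanners(constructed_flows()).items():
        print(f"possible pivot scan from {src}: {hosts} DMZ hosts, {pairs} host:port pairs")
```

The same logic applies to real firewall or NetFlow exports once the parser is adapted to their field layout; the thresholds should be tuned against the site's normal DMZ traffic.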